Is Prevention Better Than Cure? Effects of Cyber Risk Disclosures on Shareholder Response to Breaches

Published Online: https://doi.org/10.1287/isre.2022.0405
